Pandemics are defined as epidemics or outbreaks in humans
of infectious diseases that have the ability to spread rapidly over
large areas, possibly worldwide. Several pandemics have occurred
throughout history, and experts predict that we will experience at
least one pandemic outbreak in this century.

The current threat originates from an outbreak of avian flu in
Asia. It is unknown if an avian virus will result in a human
pandemic. The widespread nature of this virus in birds and the
possibility that it may mutate over time raise concerns that it
will become transmissible among humans, with potentially
devastating consequences. The united Sates Government has issued a
National Strategy that discusses the threat and potential impact of
a pandemic influenza event. The implementation Plan for the
National Strategy identifies roles and responsibilities for the
federal government, the private sector, and others.

The adverse economic effects of a pandemic could be significant,
both nationally and internationally. Due to their crucial financial
and economic role, financial institutions should have plans
in place that describe how they will manage through a pandemic
event. Sound planning should minimize the disruptions to
the local and national economy and should help the institution
maintain the trust and confidence of its customers.

DIFFERENCES BETWEEN TRADITIONAL BUSINESS CONTINUITY
PLANNING AND PANDEMIC PLANNING

There are distinct differences between pandemic planning and
traditional business continuity planning. When developing business
continuity plans, financial institution management typically
considers the effect of various natural or man-made disasters that
differ in their severity. These disasters may or may not be
predictable, but they are usually short in duration or limited in
scope.As evidenced by Hurricane Katrina,
while the duration of a specific natural disaster may be relatively
brief, the social and economic recovery from such events can be
prolonged. In most cases, malicious activity, technical
disruptions, and natural/man-made disasters typically will only
affect a specific geographic area, facility, or system. These
threats can usually be mitigated by focusing on resiliency and
recovery considerations.

Pandemic planning presents unique challenges to financial
institution management when developing their continuity plans.
Unlike natural disasters, technical disasters, malicious acts, or
terrorist events, the impact of a pandemic is much more difficult
to determine because of the anticipated difference in scale and
duration. The nature of the global economy virtually ensures that
the effects of a pandemic event will be widespread and threaten not
just a limited geographical region or area, but potentially every
continent. In addition, while traditional disasters and disruptions
normally have limited time durations, pandemics generally occur in
multiple waves, each lasting two to three months. Consequently, no
individual or organization is safe from the adverse effects that
might result from a pandemic event will be staffing shortages due
to absenteeism. These differences and challenges highlight the need
for all financial institutions, no matter their size, to plan for a
pandemic event when developing their BCP.

Pandemic plans should be sufficiently flexible to effectively
address a wide range of possible effects that could result from a
pandemic. Pandemic plans need to reflect the institution's size,
complexity, and business activities. The potential impact of a
pandemic on the delivery of a financial institution's critical
financial services should be incorporated into the ongoing business
impact analysis and risk assessment processes. The institution's
BCP should then be revised, if needed, to reflect the conclusions
of its business impact analysis and risk assessment.

To address the unique challenges posed by a pandemic. The
financial institution's BCP should provide for:

A preventive program to reduce the likelihood
that an institution's operations will be significantly affected by
a pandemic event, including: monitoring of potential outbreaks,
educating employees, communicating and coordinating with critical
service providers and suppliers, in addition to providing
appropriate hygiene training and tools to employees.

A documented strategy that provides for
scaling the institution's pandemic efforts so they are consistent
with the effects of a particular stage of a pandemic outbreak, such
as first cases of humans contracting the disease overseas, first
cases within the United States, and first cases within the
organization itself.The World Health
Organization (WHO) tracks the status of virus transmission using a
six phase scale; the U.S. Government uses a six stage scale that
has a geographic focus. Financial institutions should be familiar
with and monitor both sources. The strategy will also need
to outline plans that state how to recover from a pandemic wave and
proper preparations for any following wave(s).

Comprehensive framework of facilities, systems, or
procedures that provide the organization the capability to
continue its critical operations in the event that large
numbersA planning assumption from The
Implementation Plan for the National Strategy for Pandemic
Influenza is that rates of absenteeism will depend on the severity
of the pandemic. In a severe pandemic, absenteeism attributable to
illness, the need to care for ill family members, and fear of
infection may reach 40 percent during the peak weeks of a community
outbreak, with lower rates of absenteeism during the weeks before
and after the peak. Certain public health measures (closing
schools, quarantining household contacts of infected individuals,
"snow days") are likely to increase rates of absenteeism. of
the institution's staff are unavailable for prolonged periods. Such
procedure could include social distancing to minimize staff
contact, telecommuting, redirecting customers to electronic banking
services, or conducting operations from alternative sites. The
framework should consider the impact of customer reactions and the
potential demand for, and increased reliance on, online banking,
telephone banking, ATMs, and call support services. In addition,
consideration should be given to possible actions by public health
and other government authorities that may affect critical business
functions of a financial institution.

A testing program to ensure that the
institution's pandemic planning practices and capacities are
effective and will allow critical operations to continue.

An oversight program to ensure ongoing review and
updates to the pandemic plan so that policies, standards,
and procedures include up-to-date, relevant information provided by
government sourcesSee References at the end
of this Appendix for specific U.S. Government and industry
association guides covering pandemic planning. or by the
institution's monitoring program.

The traditional BCP methodologies detailed in the FFIEC's
Business Continuity Planning booklet provide a sound framework for
institutions of all types in developing plans for pandemic events.
Institutions should review the following:

The National Strategy for Pandemic Influenza
(National Strategy) and the Implementation Plan for the National
Strategy for Pandemic Influenza (National Implementation Plan)
issued by the federal government provide a complete guide to
pandemic planning. The documents can be found at: http://www.pandemicflu.gov/.

The financial Services Sector Coordinating Committee issued a
Statement on Preparations for Avian Flu, which
provides industry-developed guidance for financial institutions
preparing for the potential of a serious influenza epidemic. The
document can be found at: https://www.fsscc.org/influenza/financial
panning.jsp.

The Departments of Homeland Security (DHS) published
The Pandemic Influenza Preparedness, Response, and Recovery
Guide for Critical Infrastructure and Key Resources. This
document is one of the tools DHS developed to enhance pandemic
planning. It provides a source listing of primary government and
pandemic influenza-specific background material, references, and
contacts. Institutions may find the Continuity of
Operations-Essential (COP-E) planning process especially useful.
The document can be found at: http://www.pandemicflu.gov/plan/pdf/cikrpandemicinfluenzaguide.pdf.

The Department of Health and Human Services Center for Disease
Control published Interim Pre-pandemic Planning Guidance:
Community Strategy for Pandemic Influenza Mitigation in the United
States - Early, Targeted, Layered Use of Nonpharmaceutical
Interventions. This document provides information about
community actions that may be taken to limit the impact from
pandemic influenza when vaccine and antiviral medications are in
short supply or unavailable. Financial institutions may be asked to
plan for the use of the identified interventions to help limit the
spread of a pandemic, prevent disease and death, lessen the impact
on the economy, and keep society functioning. The document can be
found at: http://www.pandemicflu.gov/plan/community/commitigation.html.

The Department of Health and Human Services (DHHS) has
published a series of checklists that are intended to aid
preparation for a pandemic in a coordinated and consistent manner
across all segments of society. Included are checklists for state
and local governments, for U.S. businesses with overseas
operations, for the Workplace, for Individuals and Families, for
Schools, for Health Care and for Community Organizations. They can
also be found at: http://www.pandemicflu.gov/.

PHASES: PLANNING, PREPARING, RESPONDING, AND
RECOVERING

Traditional business continuity and pandemic planning require
management to follow a cyclical process of planning, preparing,
responding, and recovering. However, pandemic planning requires
additional actions to identify and prioritize essential functions,
employees, and resources within the institution and across other
business sectors. The issues discussed below highlight the specific
challenges faced by management and the mitigating controls that
should be considered when developing a pandemic plan.

BOARD AND SENIOR MANAGEMENT
RESPONSIBILITIES

As with other BCP activities, pandemic planning should not be
viewed as solely an Information Technology (IT) issue, but rather
as a significant risk to the entire business. As such, an
institution's pandemic planning activities should involve senior
business management from all functional, business and product
areas, including administrative, human resources, legal, IT support
functions, and key product lines.

An institution's board of directors is responsible for
overseeing the development of the pandemic plan. The board or a
committee thereof should also approve the institution's written
plan and ensure that senior management is investing sufficient
resources into planning, monitoring, and testing the final plan.
Senior management is responsible for developing the pandemic plan
and translating the plan into specific policies, processes, and
procedures.

Senior management is also responsible for communicating the plan
throughout the institutions to ensure consistent understanding of
the key elements of the plan and to ensure that employees
understand their role and responsibilities in responding to a
pandemic event. Finally, senior management is responsible for
ensuring that the plan is regularly tested and remains relevant to
the scope and complexity of the institution's operations.

INCORPORATING PANDEMIC RISK INTO THE BUSINESS IMPACT
ANALYSIS (BIA)

The potential effects of a pandemic should be a part of the
financial institution's overall BCP business impact analysis (BIA).
The BIA should:

Assess and prioritize essential business functions and
processes that may be affected by a pandemic;

Identify the potential impact of a pandemic on the
institution's essential business functionsThe Department of Homeland Security (DHS)
Continuity of Operations - Essential (COP-E) planning process may
be useful here. It is contained in the Pan-demic Influenza
Preparedness, Response, and Recovery Guide and is available at:
http://www.pandemicflu.gov. and processes, and supporting
resources;

Identify the potential impact of an pandemic on customers:
those that could be most affected and those that could have the
greatest impact on the (local) economy;

Identify the legal and regulatory requirements for the
institution's business functions and processes;

Estimate the maximum downtime associated with the institution's
business functions and processes that may occur during a
pandemic;

Assess cross training conducted for key business positions and
processes; and

Evaluate the plans of critical service providers for operating
during a pandemic. Financial institutions should evaluate the plans
and monitor the servicers to ensure critical services are
available. Financial institutions may wish to have back-up
arrangements to mitigate any risk. Special attention should be
directed at the institution's ability to access leased premises and
whether sufficient internet access capacity is available if
telecommuting is a key risk mitigation strategy.

Incorporating the impact of pandemic risk into the institution's
BCP involves additional complexity since typical disaster or
emergency response mechanisms and methods may not be feasible. For
example, moving employees to an alternate facility that is
typically used during a natural disaster or other emergency, may
not be an appropriate or feasible way to continue operations in a
pandemic. There may be a shortage of available staff to relocate
and it is possible that the alternate site might be affected by the
pandemic. DHS provides a list of twelve planning assumptions that
institutions should consider when developing the impact
analysis.See The National Implementation
Plan at
http://www.pandemicflu.gov/plan/community/commitigation.html.

The pandemic issues considered in the impact analysis also
should involve forecasting employee absenteeism and considering
family care issues that may affect business operations.See The National Implementation Plan at
http://www.pandemicflu.gov/plan/community/commitigation.html.
DHS believes rates of absenteeism will depend on the severity of
the pandemic. In a severe pandemic, absenteeism attributable to
illness, the need to care for ill family members and fear of
infection may reach 40 percent during the peak weeks of a community
outbreak, with lower rates of absenteeism during the weeks before
and after the peak. Certain public health measures (e.g. closing
schools, quarantining household contacts of infected individuals,
or altering or ceasing public transportation schedules) are likely
to increase the rate of absenteeism.

A key part of an institution's BIA that addresses pandemics is
to examine external factors. For example, assessing the impact of
critical interdependencies will involve making planning assumptions
regarding the availability of external services and prioritizing
the effect of possible disruptions. In addition, potential travel
restrictions imposed by health and emergency management officials
may limit access to those services, even if they are still
operating.

RISK ASSESSMENT/RISK MANAGEMENT

As noted in the main body of this booklet, the institution's
risk assessment process is critical and has a significant bearing
on whether BCP efforts will be successful. Important risk
assessment and risk management steps that are important for
pandemic planning include;

Prioritizing the severity of potential business disruptions
resulting from a pandemic, based on the institution's estimate of
impact and probability of occurrence on operations.

Performing a "gap analysis" that compares existing business
processes and procedures with that is needed to mitigate the
severity of potential business disruptions resulting from a
pandemic;

Developing a written pandemic plan to follow during a possible
pandemic event;

Reviewing and approving the pandemic plan by the board or a
committee thereof and senior management at least annually; and

Communicating and disseminating the plan and the current status
of pandemic phases to employees. Specific risk assessment and risk
management actions arising from a pandemic include the
following:

Coordination with Outside Parties

Open communication and coordination with outside groups,
including critical service providers is an important aspect of
pandemic planning. Financial institutions should coordinate
information sharing efforts through participation in business and
community working groups and develop coalitions with outside
parties to provide support and maintenance for vital services
during a pandemic. Efforts could include consideration of
cooperative arrangements with other financial institutions within
the institution's geographical trade area. In addition, management
should coordinate its pandemic planning efforts with local public
health and emergency management teams, identify authorities that
can take specific actions (e.g., who has the ability to close a
building or alter transportation), and plan to alert local and
state agencies regarding significant employee absenteeism that may
be caused by a sudden pandemic outbreak. Communication with
customers and the media is also critical to ensure that accurate
information is disseminated about business operations.

Critical interdependency challenges require management to ensure
an adequate reserve of essential supplies and to proactively manage
maintenance of equipment to ensure sustainability during potential
weakness in the service and supply chains, and develop potential
alternatives for obtaining critical service and supplies.

Triggering Events

Identification of A triggering event occurs when an
environmental change takes place that requires management to
implement its response plans based on the pandemic alert status.
Alerts may be issued by various organizations that have developed
surveillance systems to monitor the progression of viral outbreaks.
Depending on the severity of the alert, management may need to act
quickly to implement elements of its pandemic response plans.
Therefore, it is important for financial institution management to
monitor national and international pandemic news sources in order
to be aware of potential outbreaks. Management should monitor
websites devoted to national health care issues, identify key
points of contact for emergency and health care organizations, and
assess potential implications for the financial institution if a
pandemic occurs. Management also should communicate to employees
and key service providers the actions it plans to take at specific
triggering points.

Employee Protection Strategies

Employee protection strategies are crucial to sustain an
adequate workforce during a pandemic. Institutions should promote
employee awareness by communicating the risks of a pandemic
outbreak and discussing the steps employees can take to reduce the
likelihood of contracting a pandemic virus. The following risk
management strategies should also be considered:

Publicize the Centers for Disease control and Prevention "Cover
Your Cough" and "Clean Your Hands" programs or other general
hygiene programs;

Encourage employees to avoid crowded places and public
transportation systems;

Implement "social distancing"_ techniques to minimize typical
face-to-face contact through the use of teleconference calls, video
conferencing, flexible work hours, telecommuting, encouraging
customers to use online or telephone banking services, ATMs and
drive-up windows; and

Despite the unique challenges posed by a pandemic, there are
control processes that management can implement to mitigate risk
and the effects of a pandemic. For example, to overcome some of the
personnel challenges, management should ensure that employees are
cross-trained and that succession plans have been developed. The
institution may be able to leverage plans already established as
part of traditional business continuity planning.

Remote Access

During a pandemic there may be a high-reliance on employees
telecommuting, which could put a strain on remote access
capabilities such as capacity, bandwidth, and authentication
mechanisms. Moreover, employees who typically work onsite may not
have remote access authority or the necessary technology
infrastructure to work at home. Analysis of remote access
capabilities, mapping of related technology infrastructure to
employee needs during a pandemic, assessing the infrastructure at
the neighborhood level, and considering internal and external
capacity are necessary to help ensure telecommuting strategies will
work during a pandemic.

RISK MONITORING AND TESTING

As information from medical and governmental experts about the
causes and effects of a pandemic continues to evolve, and
institution's pandemic plan must be sufficiently flexible to
incorporate new information and risk mitigation approaches. As a
result, risk monitoring and testing of the pandemic plan is
important to the overall planning process. A key challenge for
management is developing a testing program that provides a high
degree of assurance that critical business processes, including,
supporting infrastructure, systems, and applications, will function
even during a severe pandemic.

A robust program should incorporate testing:

Roles and responsibilities of management, employees, key
suppliers, and customers;

Test results should be reported to management, with appropriate
updates made to the pandemics plan and testing program.

Testing for a pandemic may require variations to the scope of
traditional disaster recovery and business continuity testing, as
potential test scenarios will most likely be different.
Alternatives for pandemic testing can include: well orchestrated
"work at home" days for critical and essential employees to test
remote access capabilities and infrastructure; crisis management
team communication exercises; table top exercises that test various
scenarios related to escalated absenteeism rates; additional or
modified call-tree exercises; and community, regional or
industry-wide exercises with members of the financial services
sector to test the financial sector's ability to respond to a
pandemic-like crisis.

REFERENCES

In addition to references included above, institutions may find
these web sites helpful in their pandemic planning activities:

The official Federal web site, http://www.pandemicflu.gov,
contains the complete text of the National Strategy for Pandemic
Influenza and other important, related details.